b'Department of Homeland Security\n   Office of Inspector General\n\n            Technical Security Evaluation of\n                   DHS Activities at\n            Los Angeles International Airport\n                      (Redacted)\n\n\n\n\n       Notice: The Department of Homeland Security, Office of\n       the Inspector General, has redacted this report for\n       public release.\n\n\n\n\nOIG-09-01                                             October 2008\n\x0c                                                         Office of Inspector General\n                                                         U.S. Department of Homeland Security\n                                                         Washington, DC 20528\n\n\n\n\n                                    October 1, 2008\n\n                                            Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nThis report addresses the strengths and weaknesses of the implementation of technical\nand information security policies and procedures at DHS components located at Los\nAngeles International Airport, California. It is based on interviews with employees and\nofficials of relevant agencies and institutions, direct observations, and reviews of\napplicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. It is\nour hope that this report will result in more effective, efficient, and economical\noperations. 
We express our appreciation to all of those who contributed to the\npreparation of this report.\n\n\n\n                                            Richard L. Skinner\n                                            Inspector General\n\x0cTable of Contents/Abbreviations \n\n\nExecutive Summary ............................................................................................................ 1 \n\n\nBackground ......................................................................................................................... 2 \n\n\nResults of Review ............................................................................................................... 5\n \n\n\n           CBP Did Not Comply Fully With DHS Sensitive System Policies........................ 5 \n\n           Recommendations................................................................................................. 14 \n\n           Management Comments and OIG Analysis ......................................................... 15 \n\n\n           ICE Did Not Comply Fully With DHS Sensitive System Policies....................... 16 \n\n           Recommendations................................................................................................. 21 \n\n           Management Comments and OIG Analysis ......................................................... 22 \n\n\n           TSA Did Not Comply Fully With DHS Sensitive System Policies...................... 23 \n\n           Recommendations................................................................................................. 29 \n\n           Management Comments and OIG Analysis ......................................................... 29 \n\n\n           USCG Did Not Comply Fully With DHS Sensitive System Policies .................. 29 \n\n           Recommendations................................................................................................. 
33 \n\n           Management Comments and OIG Analysis ......................................................... 33 \n\n\nAppendices\n\n     Appendix A:             Purpose, Scope, and Methodology .....................................................34 \n\n     Appendix B:             Management\xe2\x80\x99s Comments to Draft Report ........................................36 \n\n     Appendix C:             Major Contributors to This Report.....................................................52 \n\n     Appendix D:             Report Distribution ............................................................................53 \n\n\n\n\n\n             Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                                (Redacted)\n\x0cTable of Contents/Abbreviations \n\n\nAbbreviations\n\n   CBP                         Customs and Border Protection\n   CIO                         Chief Information Officer\n   DAA                         Designated Accrediting Authority\n   DHS                         Department of Homeland Security\n   DHS Directive 4300A         DHS Sensitive Systems Policy Directive 4300A\n   DHS 4300A Handbook          DHS 4300A Sensitive Systems Handbook\n   FISMA                       Federal Information Security Management Act\n   FTP                         File Transfer Protocol\n   FWFL                        Far West Field LAN\n   HVAC                        Heating, Ventilation, and Air Conditioning\n   ICE                         Immigration and Customs Enforcement\n   ISA                         Interconnection Security Agreement\n   ISSM                        Information Systems Security Manger\n   IT                          Information Technology\n   LAN                         Local Area Network\n   LAX                         Los Angeles International Airport\n   NOC                         Network Operation Center\n   OIG                         Office of Inspector 
General\n   SAC                         Special Agent in Charge\n   SOC                         Security Operation Center\n   SSP                         System Security Plan\n   TA-FISMA                    Trusted Agent FISMA\n   TECS                        Treasury Enforcement Communications System\n   TSA                         Transportation Security Administration\n   UPS                         Uninterruptible Power Supply\n   USCG                        United States Coast Guard\n   WLAN                        Wireless Local Area Network\n\n\n\n\n       Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                          (Redacted)\n\x0cOIG \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                     As part of our Technical Security Evaluation Program, we\n                     evaluated technical and information security policies and\n                     procedures of Department of Homeland Security components at\n                     Los Angeles International Airport. Customs and Border\n                     Protection, Immigration and Customs Enforcement, Transportation\n                     Security Administration, and the United States Coast Guard\n                     operate information technology systems or have a presence at this\n                     airport in support of Homeland Security operations.\n\n                     Our evaluation focused on how these components had\n                     implemented computer security operational, technical, and\n                     management controls for their information technology assets at this\n                     site. We performed onsite inspections of the areas where these\n                     assets were located, interviewed Department of Homeland Security\n                     staff, and conducted technical tests of internal controls. 
We also\n                     reviewed applicable policies, procedures, and other relevant\n                     documentation.\n\n                     The information technology security controls implemented at this\n                     site have deficiencies that, if exploited, could result in the loss of\n                     confidentiality, integrity, and availability of their information\n                     technology systems. Specifically, these components need to\n                     improve their physical security operational controls for\n                     telecommunications equipment and servers. These components\n                     also could improve their technical controls by\n\n\n                     Additionally, these components need to improve their management\n                     controls by upgrading documentation to include information\n                     technology assets at Los Angeles International Airport.\n\n\n\n\n      Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                         (Redacted)\n\n                                            Page 1\n\x0cBackground\n                    We designed our Technical Security Evaluation Program to\n                    provide senior Department of Homeland Security (DHS) officials\n                    with timely information on whether they had properly\n                    implemented DHS information technology (IT) security policies at\n                    critical sites. Our program is based on DHS Sensitive Systems\n                    Policy Directive 4300A (DHS Directive 4300A), which applies to\n                    all DHS components. It provides direction to managers and senior\n                    executives regarding the management and protection of sensitive\n                    systems. 
DHS Directive 4300A also outlines policies relating to\n                    the operational, technical, and management controls that are\n                    necessary for ensuring confidentiality, integrity, availability,\n                    authenticity, and non-repudiation within the DHS IT infrastructure\n                    and operations. A companion document\xe2\x80\x94the DHS 4300A\n                    Sensitive Systems Handbook (DHS 4300A Handbook)\xe2\x80\x94provides\n                    detailed guidance on the implementation of these policies.\n\n                    DHS IT security policies are organized under operational,\n                    technical, and management controls. According to DHS Directive\n                    4300A, these controls are defined as follows:\n\n                             \xe2\x80\xa2\t Operational Controls \xe2\x80\x93 Focus on mechanisms\n                                primarily implemented and executed by people. These\n                                controls are designed to improve the security of a\n                                particular system, or group of systems. These controls\n                                require technical or specialized expertise and often rely\n                                on management and technical controls.\n\n                                                         **********\n\n                             \xe2\x80\xa2\t Technical Controls \xe2\x80\x93 Focus on security controls\n                                executed by IT systems. These controls provide\n                                automated protection from unauthorized access or\n                                misuse. 
They facilitate detection of security violations,\n                                and support security requirements for applications and\n                                data.\n\n                                                         **********\n\n\n\n\n     Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                        (Redacted)\n\n                                           Page 2\n\x0c                                    \xe2\x80\xa2\t Management Controls \xe2\x80\x93 Focus on managing both the\n                                       IT security system and system risk. These controls\n                                       consist of risk mitigation techniques and concerns\n                                       normally addressed by management.\n\n                           Customs and Border Protection (CBP), Immigration and Customs\n                           Enforcement (ICE), Transportation Security Administration\n                           (TSA), and the United States Coast Guard (USCG) each have\n                           activities at Los Angeles International Airport (LAX). They rely\n                           on a range of IT assets to support their respective missions. As a\n                           Category X airport, LAX is classified among those airports with\n                           the largest number of enplanements. 1\n\n                           CBP\xe2\x80\x99s activities at LAX include processing passengers and\n                           baggage on arriving international flights. CBP staff at LAX use\n                           their systems to access various applications, including the Treasury\n                           Enforcement Communications System (TECS). 
2\n\n                           ICE\xe2\x80\x99s Office of Investigations at the El Segundo Field Office\n                           supports operations at LAX that focus on a broad array of national\n                           security, financial, and smuggling violations, for example,\n\n                               \xe2\x80\xa2\t   Illegal arms exports,\n                               \xe2\x80\xa2\t   Financial crimes,\n                               \xe2\x80\xa2\t   Commercial fraud,\n                               \xe2\x80\xa2\t   Human trafficking,\n                               \xe2\x80\xa2\t   Narcotics smuggling,\n                               \xe2\x80\xa2\t   Child pornography/exploitation, and\n                               \xe2\x80\xa2\t   Immigration fraud.\n\n                           Using their unique legal authorities, ICE special agents also\n                           conduct investigations aimed at protecting critical infrastructure\n                           industries that are vulnerable to sabotage, attack, or exploitation.\n\n                           TSA\xe2\x80\x99s activities include screening passengers and baggage on all\n                           departing flights at LAX. In support of these activities, TSA has\n                           operations in several buildings at LAX, and TSA staff use Digital\n                           Subscriber Lines circuits to access computer systems.\n\n1\n  There are five categories of airports\xe2\x80\x94X, I, II, III, and IV. Category X airports have the largest number of\nenplanements and category IV airports have the smallest number.\n2\n  TECS is a CBP mission-critical law enforcement application designed to identify people and businesses\nsuspected of or involved in violation of federal law. 
TECS is also a communications system permitting\nmessage transmittal among DHS law enforcement offices and other national, state, and local law\nenforcement agencies.\n\n           Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                              (Redacted)\n\n                                                   Page 3\n\x0c               USCG personnel at LAX, designated Air Station Los Angeles,\n               maintain search and rescue helicopters 24 hours a day, 365 days a\n               year. They are responsible for protecting the coastal area of\n               Southern California from Dana Point to Morro Bay. Additionally,\n               USCG helicopters conduct homeland security patrols for the Ports\n               of Los Angeles, Long Beach, and Hueneme. Its responsibilities\n               include the over-water approach and departure corridors for LAX\n               and the Channel Islands National Parks.\n\n\n\n\nTechnical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                   (Redacted)\n\n                                      Page 4\n\x0cResults of Review\n        CBP Did Not Comply Fully With DHS Sensitive System Policies\n                 CBP could strengthen operational, technical, and management controls for\n                 its servers, routers, and switches operating at LAX. For example, CBP\n                 could improve business continuity and physical security, and ensure that\n\n                 Additionally, CBP should take actions to ensure that its IT assets are\n                 scanned on a regular basis. Further, required system documentation\n                 should be updated to include CBP\xe2\x80\x99s IT assets at LAX. 
Collectively, these\n                 deficiencies could place at risk the confidentiality, integrity, and\n                 availability of the data stored, transmitted, and processed by CBP at LAX.\n\n                         Operational Controls\n\n                         Onsite implementation of operational controls that did not conform\n                         fully to DHS policies included\n\n                         Additionally, CBP needs to improve its\n\n\n                                         Communications Redundancy\n\n                         CBP experienced a network outage that disrupted its operations for\n                         more than 10 hours and affected more than 17,000 passengers on\n                         August 11, 2007. 3 This outage resulted in significant delays in\n                         processing arriving international passengers, causing the terminals\n                         to fill with passengers waiting to be processed. Because of this\n                         situation, the LAX fire marshal restricted the number of passengers\n                         that CBP could stage in the waiting areas and jet ways.\n                         Consequently, CBP staff at LAX were forced to keep many\n                         passengers on board aircraft for hours following international\n                         flights. Additionally, CBP staff were forced to reroute some\n                         flights to a nearby airport. This outage was exacerbated by an old\n                         IT infrastructure, which did not have network or power redundancy\n                         at LAX.\n\n                         Subsequently, CBP has taken steps to ensure communications\n                         redundancy at LAX. Specifically, CBP added circuits and\n                         hardware to remove a single point-of-failure deficiency that\n                         previously existed. 
CBP also established a new\n\n3\n Our draft report, Customs and Border Protection Did Not Manage Effectively a Network Outage at Los\nAngeles International Airport, will provide further information on the outage.\n\n          Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                             (Redacted)\n\n                                                Page 5\n\x0c               telecommunications closet in a second building at LAX. These\n               actions ensure that CBP users at LAX will not be limited to one\n               communications pathway when accessing CBP systems.\n\n                                         Business Continuity\n\n               CBP\xe2\x80\x99s business continuity capability needs to be strengthened at\n               LAX. For example,\n\n\n\n\n               CBP has implemented uninterruptible power supplies (UPS)\n\n\n\n\n               Further, installing UPS devices for telecommunications equipment\n               is not enough to ensure that CBP workstations will be in operation\n               following a power failure.\n\n\n\n\n               However, CBP has taken steps to ensure that they will be able to\n               process passengers during a communications or power outage that\n               lasts for a long duration.\n\n\n\n\n               According to the DHS 4300A Handbook:\n\n                        \xe2\x80\x9cDHS must have the capability to ensure continuity of\n                        essential functions under all circumstances.\xe2\x80\x9d\n\n\n\n\nTechnical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                   (Redacted)\n\n                                      Page 6\n\x0c                                 Physical Security Controls\n\n               CBP has taken steps to place its communications assets in locked\n               cabinets within areas controlled by CBP. 
These actions will help\n               secure CBP\xe2\x80\x99s IT assets at LAX from damage.\n\n\n\n\n               Figure 1: CBP replaced the old rack (left) with a new locking cabinet (right)\n\n               However, CBP has not completed this conversion at all locations at\n               LAX.\n\n\n               According to the DHS 4300A Handbook:\n\n                        \xe2\x80\x9cControls for deterring, detecting, restricting, and\n                        regulating access to sensitive areas shall be in place and\n                        will be sufficient to safeguard against possible loss, theft,\n                        destruction, damage, hazardous conditions, fire, malicious\n                        actions, and natural disasters.\xe2\x80\x9d\n\n                                 Environmental Controls\n\n               During our September 2007 walk-through of DHS facilities, we\n               noted that many of the CBP telecommunications rooms had\n               temperatures exceeding 70 degrees Fahrenheit. While CBP is\n               placing this equipment in cabinets that contain fans, there are no\n               temperature sensors in the cabinets to automatically turn on the\n               fans or to alert CBP staff if temperature exceeds 70 degrees\n               Fahrenheit.\n\n\n\n\nTechnical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                   (Redacted)\n\n                                      Page 7\n\x0c               According to the DHS 4300A Handbook:\n\n                        \xe2\x80\x9cTemperatures in computer storage areas should be held\n                        between 60 and 70 degrees Fahrenheit.\xe2\x80\x9d\n\n\n\n\n               Additionally, at LAX, CBP is relying on the facility\xe2\x80\x99s fire\n               suppression system. 
However, there were also fire extinguishers in\n               two telecommunications rooms that either were not charged or had\n               not been inspected within 12 years. Fire extinguishers that will not\n               perform could cause CBP staff to waste valuable time during an\n               emergency.\n\n               Further, in several of the server and telecommunications rooms\n               there was poor electrical wiring, misplaced ceiling tiles, dust, and\n               storage of non-IT assets. While we are aware that construction is\n               ongoing, CBP should take steps to ensure that its IT assets will not\n               be accidentally damaged during this transition period.\n\n\n\n\n                        Figure 2: Missing ceiling tiles and inadequate storage at LAX.\n\n               Technical Controls\n\n               CBP\xe2\x80\x99s implementation of technical controls at LAX that did not\n               conform fully to DHS\n\n\n\n\nTechnical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                   (Redacted)\n\n                                      Page 8\n\x0c                                  Inadequate Network Monitoring\n\n\n\n\n                                               Specifically, CBP has centralized\n               its network monitoring activities\n\n\n\n\n                                   Unsupported Operating System\n\n               CBP is operating six refugee fingerprint processing machines at\n               LAX. At least one of these machines has an unsupported operating\n               system. 
CBP is now working with the vendor to upgrade the\n               operating systems on the refugee fingerprint devices at LAX and\n               four other airports.\n\n               Operating systems that are not supported by their vendors may not\n               receive updates or patches when a vulnerability or exploitation has\n               been identified.\n\n                               Inadequate Vulnerability Assessment\n\n\n\n\nTechnical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                   (Redacted)\n\n                                      Page 9\n\x0c               According to DHS Directive 4300A:\n\n                        \xe2\x80\x9cComponents shall conduct vulnerability assessments\n                        and/or testing to identify security vulnerabilities on IT\n                        systems containing sensitive information annually or\n                        whenever significant changes are made to the IT systems.\n                        This should include scanning for unauthorized wireless\n                        devices. 
Evidence that annual assessments have been\n                        conducted should be included with Security Assessment\n                        Reports (SAR).\xe2\x80\x9d\n\n                                      Inadequate Access Control\n\n               CBP could strengthen the access controls on its servers at LAX.\n\n\n\n\n               According to the DHS 4300A Handbook,\n\n                        \xe2\x80\x9cPasswords shall be at least 8 characters in length \xe2\x80\xa6 shall\n                        be changed or expire in 180 days or less.\xe2\x80\x9d\n\n\n\n\n               Automated systems are vulnerable to fraudulent or malicious\n               activity by anyone with the authority or capability to access\n               information not required to perform their job-related duties.\n\n               According to the DHS 4300A Handbook,\n\n                        \xe2\x80\x9cTo protect sensitive information and limit the damage that\n                        can result from accident, error, or unauthorized use, the\n                        principle of least privilege must be applied. 
The principle\n                        of least privilege requires that users be granted the most\n                        restrictive set of privileges (or lowest clearance) needed for\n                        performance of authorized tasks\xe2\x80\x94i.e., users should be able\n                        to access only the system resources needed to fulfill their\n                        job responsibilities.\xe2\x80\x9d\n\n\n\nTechnical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                   (Redacted)\n\n                                      Page 10\n\x0c                                                Vulnerable Services\n\n                          CBP servers, routers, and switches at LAX have numerous\n\n\n\n\n                                                           increase the risk that CBP\n                          systems may be compromised by malicious users or external\n                          attacks.\n\n                          According to DHS Directive 4300A:\n\n                                  \xe2\x80\x9cComponents shall manage systems to reduce\n                                  vulnerabilities through vulnerability testing, promptly\n                                  installing patches, and eliminating or disabling unnecessary\n                                  services, if possible.\xe2\x80\x9d\n\n                          Further, CBP\xe2\x80\x99s switches at LAX were not properly configured to\n                          prevent an \xe2\x80\x9cinsider\xe2\x80\x9d from gaining unauthorized privileges and\n                          information. 
4\n\n                                                  This may allow an attacker to capture login\n                          credentials and remotely take control of the router and change or\n                          delete configuration files.\n\n\n\n\n4\n According to the National Institute of Standards and Technology\xe2\x80\x99s Threat Assessment of Malicious Code\nand Human Threats (NISTIR 4939), \xe2\x80\x9cInsiders are legitimate users of a system. When they use that access\nto circumvent security, that is known as an insider attack.\xe2\x80\x9d\n\n          Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                             (Redacted)\n\n                                                Page 11\n\x0c\x0c                          According to DHS Directive 4300A:\n\n                                   \xe2\x80\x9cComponents shall conduct and document risk assessments\n                                   every three years, when high impact weaknesses are\n                                   identified, or whenever significant changes to the system\n                                   configuration or to the operational/threat environment have\n                                   been made, whichever occurs first.\xe2\x80\x9d\n\n                          According to DHS 4300A Sensitive Security Handbook,\n                          Attachment D \xe2\x80\x93Type Accreditation:\n\n                                   \xe2\x80\x9cTo account for unique physical and logical variations at\n                                   the site level, a description of any differences and the\n                                   associated risks at each site are documented, and the site-\n                                   specific documents are incorporated as attachments or\n                                   appendices to the master C&A package.\xe2\x80\x9d\n\n                                            Wireless Local 
Area Network\n\n                          In November 2006, CBP installed a WLAN at LAX to provide\n                          high-speed mobile data connectivity and wireless coverage to CBP\n                          agents operating in and around LAX. However, CBP staff at LAX\n                          did not test the WLAN once it was connected to the CBP network.\n                          During the time of our visit at LAX, December 2007, CBP staff\n                          were unable to operate this system because of technical problems.\n\n                          According to CBP staff, CBP did not test the WLAN after it was\n                          connected to the CBP network and does not know if CBP staff\n                          have ever used this system. Additionally, CBP did not document\n                          the WLAN in the FWFL SSP. Further, the WLAN was not\n                          included in CBP\xe2\x80\x99s systems inventory, DHS\xe2\x80\x99 Trusted Agent FISMA\n                          (TA-FISMA) reporting tool. 7\n\n                          According to the DHS 4300A:\n\n                                   \xe2\x80\x9cComponent [Information Systems Security Managers]\n                                   ISSMs shall ensure that a risk assessment is conducted\n                                   whenever any modifications are made to sensitive IT\n                                   systems, networks, or to their physical environments,\n                                   interfaces, or user community. 
SSPs shall be updated and\n                                   re-certification conducted if warranted.\xe2\x80\x9d\n\n\n7\n DHS uses an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all\nPlans of Action and Milestones, including self-assessments, and certification and accreditation data.\n\n          Technical Security Evaluation of DHS Activities at Los Angeles International Airport\n                                             (Redacted)\n\n                                                Page 13\n\x0c               CBP management cannot be assured that IT systems and data are\n               adequately secured unless the various activities leading to\n               accreditation are performed and the Designated Accrediting\n               Authority (DAA) has accepted in writing the risks associated with\n               operating the systems.\n\n               Miscellaneous Issue\n\n               CBP operates 1,900 IT devices at various facilities throughout the\n               country that are not regularly scanned for vulnerabilities.\n\n\n\n\n                                 Further, the CBP SOC maintains a list of an\n               additional 1,048 devices that it has excluded from being scanned\n               for vulnerabilities. During the course of this evaluation, CBP\n               started requiring vulnerability assessments\n                                                                          Finally,\n               according to CBP staff, they have developed a new approach to\n               vulnerability assessments\n                         starting in February 2008.\n\n               These deficiencies increase the risk that CBP IT systems used at\n               LAX and other locations are vulnerable                       . 
CBP is at increased risk that a device may be open to attack if it does not perform vulnerability assessments regularly.

Recommendations

We recommend that the CBP Chief Information Officer (CIO) take the following actions for CBP activities at LAX:

Recommendation #1: Implement business continuity of operations capability for CBP facilities at LAX, including the installation of a backup power supply.

Recommendation #2: Implement stronger physical security and environmental controls to protect CBP’s IT assets from possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

Recommendation #3: Use a connection protocol that employs secure authentication.

Recommendation #4: Apply the necessary operating system upgrades.

Recommendation #5: Close all unnecessary ports from the servers, routers, and switches.

Recommendation #6: Update the FWFL SSP and perform risk assessments whenever there are significant changes to the system.

Recommendation #7: Regularly perform vulnerability assessments on IT systems containing sensitive information, as required by DHS Directive 4300A.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the DHS Chief Information Officer.
We have included a copy of the comments in their entirety at Appendix B.

In the comments, CBP concurred with recommendations one, two, and four through seven. These recommendations will be considered resolved but open pending verification of all planned actions.

CBP did not concur with recommendation three. [redacted]

We maintain that CBP should comply with DHS 4300A and use a secure communications protocol.

ICE Did Not Comply Fully With DHS Sensitive System Policies

ICE could strengthen operational, technical, and management policies for the server, router, and switches at the El Segundo Field Office. 8 For example, ICE could enhance physical security of its server room, [redacted]. Additionally, required system documentation should be updated to include ICE’s IT assets at the El Segundo Field Office. Collectively, these deficiencies could place at risk the confidentiality, integrity, and availability of the data stored, transmitted, and processed by ICE at El Segundo.

Operational Controls

Onsite implementation of operational controls that did not conform fully to DHS policies included physical security and environmental controls.
Specifically, ICE could better protect its IT assets by restricting access to ICE’s server room or by placing the IT assets in a locked cabinet. Additionally, ICE IT assets are at risk of damage or malfunction because of the absence of an adequate HVAC system in its server room. These environmental and physical security control deficiencies place the IT assets at the El Segundo Field Office at increased risk of unauthorized access and damage.

Physical Security and Environmental Controls

The ICE suite at El Segundo was not properly secured to prevent unauthorized access. [redacted]

8 The El Segundo Field Office of Investigations supports ICE operations at LAX.

ICE also needs better physical security controls to limit access to its server room, which is located next to the main entrance to ICE office space. However, the server room door is always left open because the room does not have an adequate HVAC system. For example, the server room temperature was 76.6 degrees Fahrenheit at the time of our visit. Additionally, anyone entering the server room would have access to ICE back-up tapes, server, router, and switches because they are not stored in a locked cabinet.
Figure 4 illustrates how the server room is not restricted, and the door is left open because of the absence of an HVAC system. Figure 5 shows the ICE IT assets that are not in a locked cabinet.

Figure 4: ICE server room with open door

Figure 5: ICE server not secured in a locked cabinet

According to the DHS 4300A Handbook:

“To protect sensitive information and limit the damage that can result from accident, error, or unauthorized use, the principle of least privilege must be applied. The principle of least privilege requires that users be granted the most restrictive set of privileges (or lowest clearance) needed for performance of authorized tasks—i.e., users should be able to access only the system resources needed to fulfill their job responsibilities.”

*********

“Controls for deterring, detecting, restricting, and regulating access to sensitive areas shall be in place and will be sufficient to safeguard against possible loss, theft, destruction, damage, hazardous conditions, fire, malicious actions, and natural disasters.”

*********

“Temperatures in computer storage areas should be held
between 60 and 70 degrees Fahrenheit.”

Technical Controls

ICE’s implementation of technical controls that did not conform fully to DHS policies includes operating a server that was running an unsupported operating system. Additionally, ICE’s server, router, and switches were not properly configured to prevent an insider from gaining unauthorized privileges and information. These deficiencies increase the risk that ICE IT systems used at the El Segundo Field Office are vulnerable to internal attacks.

Unsupported Operating System

An unsupported operating system was running on ICE’s server at the El Segundo Field Office. [redacted] Operating systems that are not supported by their vendors may not receive updates or patches when a vulnerability or exploitation has been identified.

Access Controls

ICE could strengthen its access controls at the El Segundo Field Office. Specifically, users had administrative access to multiple files and directories. Additionally, shared administrative login accounts were in place, allowing multiple people to use the same account for system access.

This configuration increases the risk of loss or theft of ICE mission-sensitive data.
For example, unauthorized personnel may have the ability to write, alter, or delete data that reside on shared resources.

According to the DHS 4300A Handbook:

“To protect sensitive information and limit the damage that can result from accident, error, or unauthorized use, the principle of least privilege must be applied. The principle of least privilege requires that users be granted the most restrictive set of privileges (or lowest clearance) needed for performance of authorized tasks—i.e., users should be able to access only the system resources needed to fulfill their job responsibilities.”

Vulnerable Services

[redacted] An attacker could potentially exploit this vulnerability to gain a list of usernames and other sensitive information.

Further, ICE’s switches at El Segundo were not properly configured to prevent an insider from gaining unauthorized privileges and information. [redacted] This may allow an attacker to capture login credentials, remotely take control of the devices, and change or delete configuration files.

According to DHS Directive 4300A:

“Telnet shall not be used to connect to any DHS computer. A connection protocol such as
Secure Shell (SSH) that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.”

Management Controls

ICE’s implementation of management controls at El Segundo did not conform fully to DHS policies. For example, ICE did not provide a system security plan that included the IT assets located at the El Segundo Field Office. Additionally, ICE’s server and telecommunications equipment use the CBP backbone for connectivity. However, ICE did not have an interconnection security agreement (ISA) between ICE and CBP for use of this system connectivity. These management control deficiencies increase the risk to ICE’s IT investments, systems, and data from new threats and vulnerabilities for which safeguards have not been implemented.

According to the DHS 4300A:

“Component [Information Systems Security Managers] ISSMs shall ensure that a risk assessment is conducted whenever any modifications are made to sensitive IT systems, networks, or to their physical environments, interfaces, or user community.
SSPs shall be updated and re-certification conducted if warranted.”

According to the DHS 4300A Handbook:

“Components shall document interconnections with other external networks with an Interconnection Security Agreement (ISA).”

**********

“Interconnections between DHS Components shall require an ISA when there is a difference in the security categorizations for confidentiality, integrity, and availability for the two networks. ISAs shall be signed by both DAAs or by the official designated by the DAA to have signatory authority.”

Recommendations

We recommend that the ICE CIO take the following actions for ICE activities at LAX:

Recommendation #8: Implement stronger physical security to protect ICE’s IT assets from possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

Recommendation #9: Provide an adequate HVAC system for the server room or obtain a waiver from the DAA.

Recommendation #10: Use a connection protocol that employs secure authentication.

Recommendation #11: Apply the necessary operating system upgrades to the server.

Recommendation #12: Eliminate or disable unnecessary ports
from the server and router.

Recommendation #13: Establish and maintain the required interconnection security agreements.

Recommendation #14: Include the IT assets at the El Segundo Field Office in the system security plan for the Special Agent in Charge, West Region.

Management Comments and OIG Analysis

In the comments, ICE concurred with recommendations 8 through 12. These recommendations will be considered resolved but open pending verification of all planned actions. ICE did not concur with recommendations 13 and 14.

According to ICE, the deficiency associated with recommendation 13 is not applicable as both systems would have an aggregate security categorization of ‘high.’ [redacted]

Additionally, according to ICE, the deficiency associated with recommendation [redacted]. However, according to DHS 4300A, Attachment D, Type Accreditation:

“The documentation contains two critical types of information:
o Site-specific details (e.g., deviations to functionality, configurations, and physical controls)
o Site-specific risk analysis (e.g., additional risks that are perpetrated by the deviations at the site)”

[redacted] We maintain that ICE should comply with DHS 4300A and include the El Segundo Field Office in the
appropriate system security plan.

TSA Did Not Comply Fully With DHS Sensitive System Policies

TSA could strengthen operational, technical, and management controls for its servers, router, and switches operating at LAX. For example, TSA could remove excess storage from its server room, implement fire suppression, and ensure that the most recent software security patches are installed on its server, router, and switches. Additionally, not all TSA IT resources at LAX are included in the TSA system inventory. Collectively, these deficiencies could place at risk the confidentiality, integrity, and availability of the data stored, transmitted, and processed by TSA at LAX.

Operational Controls

Onsite implementation of operational controls that did not conform fully to DHS policies included excess storage near computer equipment and inadequate environmental controls. Specifically, TSA could better protect its IT assets by ensuring that the immediate areas around the server and communication equipment are not used for general storage.

Physical Security

TSA administrative functions for LAX operations are performed in an offsite facility where TSA has several rooms with IT equipment. Although these rooms are behind several locked doors, TSA needs to improve its physical security. For example, the server room at this location was being used to store new equipment as well as old equipment prior to disposal.
There were also two unbraced shelves that could hinder access to the TSA servers, router, and switches following an earthquake. Figure 6 illustrates the condition of the TSA server room.

Additionally, the TSA telecommunications room in the logistics department contains a switch and a server that were not in a locked cabinet. This room was also used to store some non-IT related items. Further, TSA has a switch in another room that also was not in a locked cabinet.

The examples mentioned above increase the risk of accidental loss of power or damage to IT resources supporting TSA operations at LAX.

According to the DHS 4300A Handbook,

“Controls for deterring, detecting, restricting, and regulating access to sensitive areas shall be in place and will be sufficient to safeguard against possible loss, theft, destruction, damage, hazardous conditions, fire, malicious actions, and natural disasters.”

Figure 6: TSA server room used for storage

Environmental Controls

TSA also could improve environmental controls for its IT assets. For example, the temperature was 76.7 degrees Fahrenheit in the telecommunications room in the logistics department.
Further, TSA was using a portable fan to cool down the switch mounted on the wall and the stand-alone server underneath the table. Figure 7 illustrates the condition of the TSA telecommunications room at LAX.

Figure 7: Portable fan used to cool switch and server area

TSA’s communications equipment was also at risk of failure because of the absence of temperature or humidity sensors in the communications rooms. The absence of environmental sensors and proper HVAC for IT equipment increases the risk that TSA’s IT assets may malfunction.

According to the DHS 4300A Handbook,

“The condition of the air is important to prevent damage to IT equipment.”

Additionally, TSA did not have a fire suppression system in place at LAX. Specifically, no water sprinklers or fire extinguishers were at the server room or telecommunication closets. The absence of an adequate fire suppression system places TSA’s IT assets at risk of possible loss, destruction, damage, hazardous conditions, fire, malicious actions, and natural disasters.
As a compensating control, TSA has already deployed fire extinguishers to resolve this deficiency.

According to the DHS 4300A Handbook:

“When a centralized fire suppression system is not available, fire extinguishers should be readily available.”

Technical Controls

TSA’s implementation of technical controls at LAX that did not conform fully to DHS policies include inadequate access controls, insecure communications protocols, and open ports with known vulnerabilities. These deficiencies increase the risk that TSA IT systems used at LAX are vulnerable to internal attacks.

Access Controls

Configuration management for the TSA server needs to be strengthened. Specifically, the Lightweight Directory Access Protocol is configured to allow anonymous access to the TSA server. As a result, an unauthorized user or a hacker could log in to the system without proper credentials. Additionally, the Windows built-in user group “EVERYONE” was configured to allow full control and access to shared data.
This may allow an unauthenticated user to upload malicious code onto a shared resource.

The purpose of access controls is to protect against the unauthorized disclosure, modification, or destruction of data residing in these systems, as well as the applications themselves. Automated systems are vulnerable to fraudulent or malicious activity by anyone with the authority or capability to access information not required to perform their duties.

According to the DHS 4300A Handbook:

“To protect sensitive information and limit the damage that can result from accident, error, or unauthorized use, the principle of least privilege must be applied. The principle of least privilege requires that users be granted the most restrictive set of privileges (or lowest clearance) needed for performance of authorized tasks—i.e., users should be able to access only the system resources needed to fulfill their job responsibilities.”

Insecure Communications Protocols

TSA’s switches at LAX were not properly configured to prevent an insider from gaining unauthorized privileges and information.
For example, telnet was being used on a TSA switch at LAX. However, telnet does not encrypt login and password credentials. This may allow an attacker to capture login credentials and remotely take control of the router and change or delete configuration files.

Additionally, the File Transfer Protocol (FTP) port 21 was active, leaving the device vulnerable to unauthorized access. FTP is not permitted on DHS systems due to the potential risk when used for non-administrative purposes. For instance, just like telnet, FTP transmits login and password credentials in clear text.

According to DHS Directive 4300A:

“Telnet shall not be used to connect to any DHS computer. A connection protocol such as Secure Shell (SSH) that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead.”

************

“File Transfer Protocol (FTP) shall not be used to connect to or from any DHS computer. A connection protocol that employs secure authentication (two factor, encrypted, key exchange, etc.)
and is approved by the Component shall be used instead.”

Vulnerable Services

TSA’s servers, router, and switches at LAX have numerous open ports and services that may not be necessary. For example, the following services with known vulnerabilities were running:

• The server was configured to allow Domain Name System zone transfers to be performed. This potentially poses a security risk of denial of service attacks.
• Web Server was running on a nonstandard port.
• The version of Internet Information Services running on the system is vulnerable to denial of service attacks.

Additionally, the Null session was configured to allow a user to connect to the system without authentication. An attacker could potentially exploit the null session to gain a list of usernames and other potentially sensitive information.
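The ICE and TSA technical-control findings above (telnet on switches, FTP, anonymous LDAP access, the EVERYONE group with full control on a share, null sessions, open DNS zone transfers, an unsupported operating system, and shared administrative accounts) are all settings a routine configuration audit can catch before an evaluator does. The following Python script is an added example, not code from the OIG report or from any DHS component: it runs those checks over a constructed configuration snapshot and pairs each finding with the corrective setting the quoted DHS 4300A language calls for. The hostnames, the “ExampleOS” products and their support dates, and the snapshot layout itself are assumptions made for the example.

```python
"""Audit a host-configuration snapshot for the weaknesses the report describes.

Added example, not code from the OIG report or any DHS component. Hostnames,
the "ExampleOS" products, dates and the snapshot layout are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class Finding:
    host: str
    check: str
    observed: str
    corrective: str


# Services the quoted DHS 4300A text forbids because they carry credentials in clear text.
CLEARTEXT_SERVICES = {23: "telnet", 21: "ftp"}


def check_cleartext(h: dict, as_of: date) -> List[Finding]:
    return [Finding(h["host"], "cleartext-protocol", f"{CLEARTEXT_SERVICES[port]} listening on tcp/{port}",
                    "disable it and manage the device over SSH with encrypted, key-based or two-factor authentication")
            for proto, port, _ in h.get("listening", []) if proto == "tcp" and port in CLEARTEXT_SERVICES]


def check_ldap_anonymous(h: dict, as_of: date) -> List[Finding]:
    if not h.get("ldap_anonymous_bind"):
        return []
    return [Finding(h["host"], "ldap-anonymous-bind", "directory accepts anonymous binds",
                    "require an authenticated bind before any search or read")]


def check_share_acls(h: dict, as_of: date) -> List[Finding]:
    # Least privilege: Everyone may at most read, and only when the share is meant to be public.
    return [Finding(h["host"], "share-everyone-write", f"share {s['name']}: {p} has {r}",
                    "grant the specific group that needs the share the least right that works, and remove Everyone")
            for s in h.get("shares", []) for p, r in s["acl"].items()
            if p.upper() == "EVERYONE" and r in ("FullControl", "Change")]


def check_null_session(h: dict, as_of: date) -> List[Finding]:
    if not h.get("anonymous_sessions_allowed", False):
        return []
    return [Finding(h["host"], "null-session", "unauthenticated (null) sessions can enumerate accounts and shares",
                    "restrict anonymous access so enumeration requires an authenticated session")]


def check_zone_transfer(h: dict, as_of: date) -> List[Finding]:
    if h.get("dns_zone_transfer") != "any":
        return []
    return [Finding(h["host"], "dns-zone-transfer", "zone transfers allowed to any requester",
                    "limit transfers to the addresses of the authorized secondary name servers")]


def check_os_support(h: dict, as_of: date) -> List[Finding]:
    ends = h.get("os_support_ends")
    if ends is None or ends >= as_of:
        return []
    return [Finding(h["host"], "unsupported-os", f"{h['os']} left vendor support on {ends}",
                    "upgrade to a release that still receives security patches")]


def check_shared_admin(h: dict, as_of: date) -> List[Finding]:
    return [Finding(h["host"], "shared-admin-account", f"administrative account '{a['name']}' is shared",
                    "issue individual administrative accounts so every action is attributable to one person")
            for a in h.get("admin_accounts", []) if a.get("shared")]


CHECKS = [check_cleartext, check_ldap_anonymous, check_share_acls, check_null_session,
          check_zone_transfer, check_os_support, check_shared_admin]


def audit(hosts: List[dict], as_of: date) -> List[Finding]:
    """Run every check against every host, in a fixed order, and collect the findings."""
    return [f for h in hosts for check in CHECKS for f in check(h, as_of)]


def findings_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.host, []).append(f.check)
    return out


# Constructed snapshot: a server and a switch with the report's weaknesses, plus a hardened switch.
AS_OF = date(2008, 2, 1)
SAMPLE_HOSTS = [
    {"host": "lax-tsa-srv01", "os": "ExampleOS 4.1", "os_support_ends": date(2006, 12, 31),
     "listening": [("tcp", 21, "ftp"), ("tcp", 53, "dns"), ("tcp", 389, "ldap"), ("tcp", 445, "smb")],
     "ldap_anonymous_bind": True, "anonymous_sessions_allowed": True, "dns_zone_transfer": "any",
     "shares": [{"name": "Logistics", "acl": {"EVERYONE": "FullControl", "LAX-Logistics": "Change"}}],
     "admin_accounts": [{"name": "administrator", "shared": False}]},
    {"host": "lax-ice-sw01", "os": "ExampleSwitchOS 2.0", "os_support_ends": date(2010, 1, 1),
     "listening": [("tcp", 23, "telnet")], "admin_accounts": [{"name": "admin", "shared": True}]},
    {"host": "lax-tsa-sw02", "os": "ExampleSwitchOS 3.1", "os_support_ends": date(2012, 1, 1),
     "listening": [("tcp", 22, "ssh")], "admin_accounts": [{"name": "jdoe-adm", "shared": False}]},
]


def main() -> None:
    for f in audit(SAMPLE_HOSTS, AS_OF):
        print(f"{f.host:14s} {f.check:22s} {f.observed}\n{'':38s} fix: {f.corrective}")


if __name__ == "__main__":
    main()
```

Each check is a small pure function over the snapshot, so adding a requirement (a password-policy check, a patch-age check) means adding one function to CHECKS rather than touching the others, and the fixed check order keeps the output stable enough to diff between visits.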
Unnecessary open ports and services increase the risk that TSA systems may be compromised by malicious users or external attacks.

According to DHS Directive 4300A:

“Components shall manage systems to reduce vulnerabilities through vulnerability testing, promptly installing patches, and eliminating or disabling unnecessary services, if possible.”

Management Controls

TSA’s implementation of management controls at LAX did not conform fully to DHS policies. Specifically, not all TSA IT resources at LAX are accounted for in its system inventory. For example, the logistics server and database are not included in the TSA system inventory or the TSA certification and accreditation process.
TSA management cannot be assured that IT systems and data are adequately secured unless the various activities leading to accreditation are performed and the DAA has accepted in writing the risks associated with operating the systems.

These management control deficiencies increase the risk to TSA’s IT investments, systems, and data from new threats and vulnerabilities for which safeguards have not been implemented.

According to the DHS 4300A Handbook:

“The initial Risk Assessment is updated and revised and becomes the final Risk Assessment as part of the overall accreditation process after the controls are implemented and tested and the results/corrective actions are implemented. Through the development of the final Risk Assessment, the definition of the program residual risk can be determined for the DAA’s acceptance during accreditation.”

Recommendations

We recommend that the TSA CIO take the following actions for TSA activities at LAX:

Recommendation #15: Improve its physical and environmental controls to protect TSA’s IT assets from possible accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.

Recommendation #16: Use a connection protocol that employs secure authentication.

Recommendation #17: Eliminate or
disable unnecessary ports from the servers, router, and switches.

Recommendation #18: Ensure that all IT systems are included in TSA’s inventory.

Management Comments and OIG Analysis

In the comments, TSA concurred with recommendations 15 through 18. These recommendations will be considered resolved but open pending verification of all planned actions.

USCG Did Not Comply Fully With DHS Sensitive System Policies

USCG could strengthen operational and technical controls for its server, router, and switches operating at LAX. For example, USCG back-up tapes should be stored in an off-site facility. Additionally, USCG could strengthen access controls and ensure that only necessary ports are open on its server, router, and switches. [redacted] Collectively, these deficiencies could place at risk the confidentiality, integrity, and availability of the data stored, transmitted, and processed by USCG at LAX.

Operational Controls

Onsite implementation of operational controls that did not conform fully to DHS policies included USCG IT assets that were not in a locked cabinet. Further, USCG needs to better safeguard its sensitive data stored on back-up tapes. Unauthorized personnel may have access to USCG IT assets and sensitive data stored in the back-up tapes.
Figure 8 below illustrates USCG's open rack with its back-up tapes stored in the USCG server room.

To ensure the availability and integrity of USCG data, back-up tapes should be stored in an off-site facility accessible by authorized personnel only.

According to the DHS 4300A Handbook:

    "Components shall ensure backup media are stored off site in accordance with their business continuity and IT Contingency plans."

Technical Controls

USCG's implementation of technical controls at LAX that did not conform fully to DHS policies includes access control and password management requirements.

These deficiencies increase the risk that USCG IT systems used at LAX are vulnerable to internal attacks.

Access Controls

Excess privilege given to users can put USCG data at risk by allowing insiders and others the opportunity to penetrate a system. This could result in the loss, theft, or destruction of USCG data.

Additionally, USCG could strengthen password policies on its LAX systems.

According to the DHS 4300A Handbook:

    "To protect sensitive information and limit the damage that can result from accident, error, or unauthorized use, the principle of
least privilege must be applied. The principle of least privilege requires that users be granted the most restrictive set of privileges (or lowest clearance) needed for performance of authorized tasks—i.e., users should be able to access only the system resources needed to fulfill their job responsibilities."

System Patches

According to our technical scans,

USCG data may be compromised if patches are not installed in a timely fashion.

Vulnerable Services

Unnecessary open ports and services increase the risk that USCG's systems at LAX may be compromised by malicious users or external attacks.

According to DHS Directive 4300A:

    "Components shall manage systems to reduce vulnerabilities through vulnerability testing, promptly installing patches, and eliminating or disabling unnecessary services, if possible."

Insecure Communications Protocols

According to DHS Directive 4300A:

    "Telnet shall not be used to connect to any DHS computer.
    A connection protocol such as Secure Shell (SSH) that employs secure authentication (two factor, encrypted, key exchange, etc.) and is approved by the Component shall be used instead."

Management Controls

We did not find any reportable management control deficiencies for the USCG site at LAX.

Recommendations

We recommend that the USCG CIO take the following actions for USCG activities at LAX:

Recommendation #19: Store back-up tapes in an off-site facility.

Recommendation #20: Implement the password policy established by DHS Directive 4300A.

Recommendation #21: Develop a process for implementing identified patches in a timely fashion.

Recommendation #22: Eliminate or disable unnecessary ports from the server and router.

Recommendation #23: Use a connection protocol that employs secure authentication.

Management Comments and OIG Analysis

In the comments, USCG concurred with recommendations 19 through 23. These recommendations will be considered resolved but open pending verification of all planned actions.

Appendix A
Purpose, Scope, and Methodology

This review is part of a program to evaluate, on an ongoing basis, the implementation of DHS technical and information security policies and procedures at DHS sites.
The objective of this program is to determine the extent to which critical DHS sites comply with the department's technical and information security policies and procedures, according to DHS Directive 4300A and its companion document, the DHS 4300A Handbook.

We coordinated the implementation of this technical security evaluation program with the DHS Chief Information Security Officer (CISO). We mutually agreed to the wording for the Rules of Behavior for the technical testing.⁹ Our entrance and exit conferences were held with DHS component officials.

Technical evaluations were performed only after the DHS CISO and DHS component officials agreed to our negotiated Rules of Behavior. These technical evaluations included:

• Security scans of the servers, routers, and switches using various software packages, and
• Scans to determine whether wireless devices were being used by DHS components.

We reviewed applicable DHS and components' policies and procedures, and components' responses to our site surveys and technical questionnaires. For example, we used components' responses to identify occupied space, server rooms, and telecommunications closets.
Our onsite review included a physical review of components' space and interviews with component staff.

Our technical review included technical scans of security controls as well as scans for DHS wireless devices operating at LAX. Additionally, we reviewed guidance provided by DHS to the components in the areas of patch management, operating systems, and wireless security.

We provided components with briefings concerning the results of fieldwork and the information summarized in this report. We conducted this review between September 2007 and March 2008.

⁹ The Rules of Behavior established the boundaries and schedules for the technical evaluations.

We performed our work according to the Quality Standards for Inspection of the President's Council on Integrity and Efficiency and pursuant to the Inspector General Act of 1978, as amended.

We appreciate the efforts by DHS management and staff to provide the information and access necessary to accomplish this review. Our points of contact for this report are Frank Deffer, Assistant Inspector General for Information Technology, (202) 254-4100, and Roger Dressler, Director for Information Systems and
Architectures, (202) 254-5441. Major OIG contributors to the review are identified in Appendix C.

Appendix B
Management's Response to the Draft Report
Appendix C
Major Contributors to This Report

Roger Dressler, Director, Department of Homeland Security, Information Technology Audits

Kevin Burke, Audit Manager, Department of Homeland Security, Information Technology Audits

Domingo Alvarez, Senior Auditor, Department of Homeland Security, Information Technology Audits

Ernie Bender, Senior Auditor, Department of Homeland Security, Information Technology Audits

Karen Nelson, Senior Auditor, Department of Homeland Security, Information Technology Audits

Matthew Worner, Program Analyst, Department of Homeland Security, Information Technology Audits

Syrita Morgan, Management
and Program Assistant, Department of Homeland Security, Information Technology Audits

Richard Saunders, Director, Department of Homeland Security, Advanced Technology Division

Steve Matthews, Manager, Department of Homeland Security, Advanced Technology Division

Jeffrey Devine, Technical Evaluator, Department of Homeland Security, Advanced Technology Division

Sukhonthip Rueangvivatanakij, Technical Evaluator, Department of Homeland Security, Advanced Technology Division

Shannon Frenyea, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Under Secretary, Management
Assistant Secretary, Office of Policy
Assistant Secretary, Office of Public Affairs
Assistant Secretary, Office of Legislative Affairs
Chief Information Officer (CIO), DHS
Chief Privacy Officer
Deputy CIO, DHS
Chief Information Security Officer, DHS
Chief Information Security Officer, CBP
Chief Information Security Officer, ICE
Chief Information Security Officer, TSA
Chief Information Security Officer, USCG
Information Systems Security Manager, CBP
Information Systems Security Manager, ICE
Information Systems Security Manager, TSA
Information Systems Security Manager, USCG
DHS Audit Liaison
CBP Audit Liaison
ICE Audit Liaison
TSA Audit Liaison
USCG Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.